CSF and Country Blocking

SlapHappy

Registered
Jul 8, 2014
3
0
1
cPanel Access Level
Reseller Owner
We have a vps (WHM) running CSF that is currently blocking China via the Country Block option. Unfortunately we have clients that now have regular contact with China based suppliers and it appears the country block is stopping legitimate emails being received.

Is there a way to allow specific domains/ip's to bypass the CSF country block?
 

keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
If you know the IP's of the customers, then whitelisting these (adding to the allow list) should work.
I've considered having only port 25 pen to china, but not yet figured out how I can do this easily.
 
  • Like
Reactions: kadrin

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Specific IP's in the whitelist should take precedence over the country blocking as far as I am aware.

@keat63 have you looked at the following?:


Code:
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""
 

SlapHappy

Registered
Jul 8, 2014
3
0
1
cPanel Access Level
Reseller Owner
White-listing IP's has worked in the past for some cases, but lately it has been been hit and miss. We white-list every IP we can see related to the incoming message but it still never arrives. My guess is that maybe the IP addresses are obfuscated in some fashion.

With clients getting restless we removed CN from the country block list for now
 

keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
This feature I can't get my head around.
Rather than blocking a small handful of countries, this feature sounds like you block everything and then allow only the countries you want.
Sort of the opposite ??

I'm currently toying with

CC_DENY_PORTS

I added CN.

Then in CC_DENY_PORTS_TCP
I added 20,21,53,80,443,2077,2078,2086,2095,2096

Although I'm sure there are many ports I'm missing.
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
IT is a bit of the opposite but seemed like the only way to do what was requested using CC blocking. CSF may have some more detailed uses for this or a way to implement what is being requested on their forums as well.